#!/bin/bash
# 生成ca私钥
path=./certs/
if [ ! -d "$path" ]; then
  mkdir -p "$path"
  echo 
fi
cat << EOF > "$path/v3.ext"
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = blog.me
DNS.3 = test.me
DNS.4 = *.blog.me
DNS.5 = *.test.me
DNS.6 = *.fast.me
DNS.7 = fast.me
DNS.8 = music.me
IP.1 = 192.168.2.88
IP.2 = 127.0.0.1

EOF


##########CA操作###############
openssl genrsa -aes256 -passout pass:demo -out "$path/rootCA.key" 4096


###########服务端操作###############
#用生成的私钥生成自签名CA证书
openssl req -x509 -new -nodes -key "$path/rootCA.key" -newkey rsa:4096 -sha256 -days 3650 -passin pass:demo -out "$path/rootCA.pem" \
    -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=SunFoBank/OU=IT Dept/CN=*.blog.me/emailAddress=admin@blog.me"

#生成server 需要的私钥，并以此私钥签署请求,客户端证书一样,可以该device为client即可
openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout "$path/device.key" -out "$path/device.csr" \
    -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=SunFoBank/OU=IT Dept/CN=*.blog.me/emailAddress=admin@blog.me"

# 私有CA根据请求来签署证书
openssl x509 -req -in "$path/device.csr" -CA "$path/rootCA.pem" -CAkey "$path/rootCA.key" -CAcreateserial -passin pass:demo \
    -out "$path/device.crt" -days 3650 -sha256 -extfile "$path/v3.ext"

